Date: Thu, 26 Apr 2007 12:51:48 -0400 From: Kevin Hunter <hunteke@earlham.edu> To: hal <hl700@cc.usu.edu> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: How do I prevent unauthorized ssh login attempts? Message-ID: <57D63937-4610-4917-B9DF-2943034D2B18@earlham.edu> In-Reply-To: <07DD32B1-E79A-42D4-9059-2CBD98C8C3C8@cc.usu.edu> References: <23ed14b80704260325w3fc06647vb114cd411625e16b@mail.gmail.com> <20070426083438.52397267.wmoran@potentialtech.com> <B8567964-4339-47EB-ABAD-84ADDAFFA7EE@earlham.edu> <07DD32B1-E79A-42D4-9059-2CBD98C8C3C8@cc.usu.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
At 11:22a -0400 on 26 Apr 2007, Hal wrote: > On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote: >> In general, utilizing public/private keys for remote >> authentication is /much/ more secure than passwords. > > There is some debate about which is more secure > public/private keys or username/password. Yep, thank you for that reminder. :-) I suppose we now know what I'm arguing! > With public/private keys anyone who has > access to your machine has access to any machine > your machine has a key on. Without a passphrase, I'd agree. The key word that I made sure to put in was 'remote'. With passphrases, it becomes a two-step authentication, one locally to unlock the private key, and one remotely to at least confirm that you have the other half of the key. The other thing that I personally like about public/private key combinations is that for the more lazy of us, we don't always check the fingerprint matches. If I decide to log on to a remote machine to which I've not logged directly on before (e.g. a company NFS- shared home directory), then I can be assured that I'm not falling victim to a man-in-the-middle attack; I can blindly accept the fingerprint, and if it hangs, I can guess that I'm in the middle of an attack attempt, and try another avenue to get where I'm going. > With username/password protection is only as > strong as your password. But your password is > needed. Yep. I agree. > So... Use a firewall which limits access to only machines > you are willing to let in. Yep. I agree. See Bill's page about limiting number of connections per time frame as well. > Use hosts.allow to further restrict access to ssh. Yep. I agree. > Change the ssh port to something not generally known. This I place into the category of security-through-obscurity, which I don't find a particularly comforting method. So it adds a single extra layer, but if a cracker is worth her/his salt, it's easily discovered and, in my opinion, not worth the extra effort it takes me to type -p <PORT> everytime. (Yes, I could use an alias or some such, but that's still extra thought-power that I'd rather place elsewhere.) > In sshd_config use the AllowUsers parameter to allow > specific users to have access to ssh. Yep. I agree. I think that in the end, those who are security conscious, such as presumably you and me, the specifics of how we do it become largely a moot point or highly dependent on what it is that we're securing. My personal preference is to follow the 80/20 rule. I don't have 100% of my time to devote to doing the exact right thing. But I do have 20% of my time to devote to doing 80% of the exact right thing. If/ when that becomes a problem, I'll reevaluate my approach. On that note, you may know better than I do: is there a web page or blog somewhere that coalesces all the different things that should be done/are currently best-practice to secure a system? Especially to a *BSD noob? Thanks, Kevin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57D63937-4610-4917-B9DF-2943034D2B18>